Xiaomi WiFi Router 3G V2

0ryn · September 8, 2019, 1:46pm

Did your flash work? ie were you able to enter the uboot menu? If so could you post your r3gv2-edited.bin file somewhere. My unit has the latest firmware and I think they may have defeated the edit the text method that we are using.

abdulaziz.amar · September 11, 2019, 2:52am

Yes, I was able to enter the menu.

I tinkered around first, and what I was able to found out, if I booted the stock firmware or change the uboot env (like to toggle uart_en and ssh_en from 0 to 1), the menu somehow will no longer respond to my command. I flashed the edited backup three times total before I was able to flash openwrt via TFTP.

abdulaziz.amar · September 12, 2019, 1:44am

Here's my dump and openwrt by @Gingernut all in one place:

https://drive.google.com/drive/folders/1FwiBe9vZy02jAwgGKt8qKI5Of38DDDXK?usp=sharing

The .md5sum files contain the expected md5 for each file, so you sure that the file is not corrupted while downloading.

sndfrbr · September 14, 2019, 12:43pm

Hi Guys,

What exactly did you change in the flash to make this work?
I've tried a couple of things, but so far I am not able to do anything in the boot menu.

Update: so what I tried and not working:

$ xxd r3gv2_original.bin | grep bootdelay
00019690: 626f 6f74 6465 6c61 7900 0000 6f66 6600  bootdelay...off.
$ xxd r3gv2_modified.bin | grep bootdelay
00019690: 626f 6f74 6465 6c61 7900 0000 2e2e 3500  bootdelay.....5.

$ xxd r3gv2_original.bin | grep boot_wait
0001c8d0: 5632 0062 6f6f 745f 7761 6974 3d6f 6666  V2.boot_wait=off
$ xxd r3gv2_modified.bin | grep boot_wait
0001c8d0: 5632 0062 6f6f 745f 7761 6974 3d6f 6e2e  V2.boot_wait=on.

Update2: I made a mistake there when edited the the file, I changed the string "off" to "..5" and dots are 2e in the hex (LOL) ... changed those to zeros and flashed again... but still, there is no countdown at the bootloader.

$ xxd r3gv2_modified.bin | grep bootdelay
00019690: 626f 6f74 6465 6c61 7900 0000 0000 3500  bootdelay.....5.

Gingernut · September 15, 2019, 6:14am

I only changed the bootdelay string from off to 5, didn't touch anything else.

0ryn · September 15, 2019, 4:36pm

Yup, I had the same problem with mine, then I blew it up by connecting the test clip round the wrong way (Doh!!). I ordered a new unit and I've dumped the rom before powering it up. I was thinking about chopping up the image at OS and catting the openwrt flash to the end of the cut file, then padding the end with zeros. Because if you have an SPI programmer why mess about with small stuff when you can just direct flash openwrt. (Well hopefully)

sndfrbr · September 15, 2019, 5:12pm

Finally, I was able to install Openwrt on it. My USB to TTL tricked me, as soon as I switched it to the flasher's TTL, I was able to interrupt the boot and install initramfs via TFTP.


root@OpenWrt:~# cat /tmp/sysinfo/model
Xiaomi Mi Router 3G v2
root@OpenWrt:~# uname -a
Linux OpenWrt 4.14.143 #0 SMP Sat Sep 14 15:11:45 2019 mips GNU/Linux

wenter · September 18, 2019, 11:47pm

Does anyone has an image of the current firmware that can be uploaded via Breed?

Gingernut · September 20, 2019, 6:36am

A newer firmware build?

Breed can't take sysupgade.img?

wenter · September 20, 2019, 3:58pm

I have tried to upload sysupgrade.bin via breed and it did not take the firmware.

Gingernut · September 20, 2019, 4:56pm

If you already have OpenWRT installed no need to use breed to update, just use CLI or LUCI.

wenter · September 20, 2019, 5:16pm

I have tried that as well. I have initially flashed the SPI chip with Openwrt 18.06 SPI firmware to get Breed bootloader. Then I have tried to flash new firmware through LUCI and CLI. Router did not boot at all after that. I have tried to use "sysupgrade -F -v -n". Since then I have soldered on UART connector and I am going to try to flash current firmware once again.

Gingernut · October 4, 2019, 5:46am

I've built an updated firmware off master branch, which is available here:

https://drive.google.com/file/d/1-CYRstTZoUlPlOZg7_T5YJV762txHWJp/view?usp=drivesdk

It has some included packages:
LuCI
BanIP
Simple Adblock
WiFi Schedule
UPnP
Dynamic DNS
Wake On Lan
SQM QOS
Wireguard

Seems no PR support request has been issued for this device so far, not sure why.

juppin · October 4, 2019, 5:58am

There is one at the openwrt mailing list where the most openwrt development is discussed...

Double-G · October 12, 2019, 11:13pm

Damn this was complicated, but thanks to your explanations and hints, I managed to flash the device.
The guide from @rogerpueyo and instructions from @araujorm were super helpful and are much better than my description.

Equipment needed:

the MI router 4A Gigabit Edition (On the board they printed "MI M43 R0101l. This is a MI router 4a with Gigabit, similar to the Mi Router 3G V2 but with "cut corners").
USB to serial adapter, 3.3volts
USB ch341a flash programmer with cramp-cable (mine cost <=5$ and was bought at aliexpress)
Linux and the flashrom-tool and tftpd-hpa
The images in the google drive mentioned here in this thread must NOT be used, it would overwrite your mac addresses. Instead dump your router's firmware and edit the value of bootdelay.

Hardware preparations:

open the router
do NOT connect the power cable to the router
connect the USB-to-serial adapter to the serial-pin holes. TX router to RX usb-adatper, RX router to TX usb-adapter, GND to GND. Do not connect 3.3V, it stays empty as most usb-serial-adapter do not supply enough power.
connect the clamp to the flash-chip. The red wire (=pin1) must be at the upper right side which means close to the antennas. The flash-chip has a round notch that marks pin 1 - do not mix it up with the yellow round marking that is printed on it. I had to position it 5-10 times before I got a connection.

flash-chip.jpg1011×1251 69 KB
connect the other end of the the clamp-cable to the ch341a flasher and make sure to put the red wire to the pin1-slot and to use the SPI/BIOS-slot and not the eeprom one.
There is NO additional 3.3 volt feed from the ch341a-programmer to the router's 3.3v-pinhole next to the serial-pins necessary. You can skip this step. I connected the cable but it would not have been necessary.

total-view.jpg2016×974 109 KB

Reading from flash:
Run flashrom --programmer ch341a_spi -c "GD25Q128C" --read r4ga-orig.bin on your linux pc connected to the programmer.
Then modify the dumped bios as mentioned in this post and change the bootdelay-value.
Do NOT simply use the r3g-edited.bin provided in this thread, as you will overwrite your mac-adresses of eth0, eth1, wlan0 and wlan1.

Writing to flash:
Run flashrom --programmer ch341a_spi -c "GD25Q128C" --write r3gc2-edited.bin on your linux pc connected to the programmer.

It takes about 10 minutes to flash.
If you see the error message "No EEPROM/flash device found." check the cable connection. Both red lights on my ch341a-adapter are lit when there is a proper connection.
I had to use a USB3-HUB to provide enough power to it, the programmer will not work properly on USB2.0. In case the program cannot erase the flash and begins probing different methods for erasing, you did not properly connnect all of the pins. Remove and reattache the clamp and then try again.

After a succesfull flash, disconncet the cramp/ch341a adapter.
The bootloader of router will now accept firmware-images that are not signed by xiaomi.

Prepare the tftp-daemon (apt install tftpd-hpa), but the openwrt-rampis-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade-01-10-2019.bin in /var/lib/tftpboot
Assign the ip 192.168.31.100/24 to your PC and connect the LAN-cable to the router.

Power the router, hold the reset button and watch the serial console.
You should see a prompt Please choose the operation: 1: Load system code to SDRAM via TFTP. 2: Load system code then write to Flash via TFTP. 3: Boot system code via Flash (default). 4: Entr boot command line interface. 7: Load Boot Loader code then write to Flash via Serial. 9: Load Boot Loader code then write to Flash via TFTP.
choose 2 and press it or hold it.
confirm Y.

Specify the IP of the router and your tftp-server (e.g. 192.138.31.1 = router, 192.168.31.100 = tftp). Enter the filename of the openwrt-sysupgrade-imagefile.

2: System Load Linux Kernel then write to Flash via TFTP.
 Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)
 Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.31.1) ==:192.168.31.1
        Input server IP (192.168.31.2) ==:192.168.31.100
        Input Linux Kernel filename () ==:openwrt-mir3g-v2.bin

 NetTxPacket = 0x87FE52C0

 KSEG1ADDR(NetTxPacket) = 0xA7FE52C0

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
TFTP from server 192.168.31.100; our IP address is 192.168.31.1
Filename 'openwrt-mir3g-v2.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: T T  Got ARP REPLY, set server/gtwy eth addr (18:db:f2:38:0a:18)
Got it
checksum bad
#################################################################
         #################################################################
         #####################################checksum bad
############################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ############################
done
Bytes transferred = 8127244 (7c030c hex)
LoadAddr=80100000 NetBootFileXferSize= 007c030c
 Writing OS1 to 0x180000
raspi_erase_write: offs:180000, count:7c030c
raspi_erase: offs:180000 len:7c0000
........................................................................................................................................................................................................................
............................................................................................................................
raspi_erase: offs:940000 len:10000
.
.
Done!
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc180000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.146
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2015401 Bytes =  1.9 MB
   Load Address: 80001000
   Entry Point:  80001000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
commandline uart_en=0 factory_mode=0 mem=128m root=/dev/mtdblock9
No initrd
## Transferring control to Linux (at address 80001000) ...
## Giving linux memsize in MB, 128

Starting kernel ...

The router flashes and reboots into openwrt and is reachable on 192.168.1.1.
done.

franz3x8 · October 14, 2019, 12:41am

@Double-G

as Andrew stated on the 4A gigabit thread no need to connect the 3.3v-pin from the CH341a to the 3.3 hole of the router, as the CH341A already pushes out 5 volts if used on a USB 3 socket. Though again its seems your lucky since nothing bad happened.

check post here:

3.3v-pin

Double-G · October 14, 2019, 7:26am

@abdulaziz.amar I used your r3gv2-edited-image and now my Mac is set to radio0: EC4118C8D42E.
Is is possible that it was stored in the image and not in a separate eeprom?
Is the mac I stated the one of your router?

abdulaziz.amar · October 14, 2019, 8:06am

Well yes, it is all stored on that the one chip.

You can edit it to your MAC Address with a hex editor, the default value and address are:

radio0: EC 41 18 C8 D4 2E (0x50004)
radio1: EC 41 18 C8 D4 2F (0x58004)
eth0.1: EC 41 18 C8 D4 2C (0x5E000)
eth0.2: EC 41 18 C8 D4 2D (0x5E006)

Please make sure you don't fill the exact MAC Address twice to avoid further problem.

Double-G · October 15, 2019, 8:43am

Thanks, I edited them based on the mac for eth0.1 that was printed on the router's enclosure and all is fixed now.
Still some values like model show r3gv2 although this is r4g, but it doesn't seem to matter.

Gingernut · October 27, 2019, 5:01pm

Great news.

Looks like this model has been given official support in master branch.